When the ACS:LAW scandal broke, the lives of thousands of people were turned upside down, up until that point people had been upset with letters threatening to take them to court for fictitious file sharing,

“The security measures ACS Law had in place were barely fit for purpose in a person’s home environment, let alone a business handling such sensitive details.”

Wow powerful stuff right?

The ICO went on

“As Mr Crossley was a sole trader it falls on the individual to pay the fine. Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed, given the severity of the breach. Penalties are a tool for achieving compliance with the law and, as set out in our criteria, we take people’s circumstances and their ability to pay into account.”

SAY WHAT????

“Were it not for the fact that ACS Law has ceased trading so that Mr Crossley now has limited means, a monetary penalty of £200,000 would have been imposed”

Hmmm so Crossley gets to CLOSE his company the very action which brought derision from Judge Birss along with many man people who had been affected by his nasty letters, and he gets off with a grand to pay becuase of this deception?

The ICO goes on to say:

The ICO’s investigation found serious flaws in ACS Law’s IT security system. Mr Crossley did not seek professional advice when setting up and developing the IT system which did not include basic elements such as a firewall and access control. In addition ACS Law’s web-hosting package was only intended for domestic use. Mr Crossley had received no assurances from the web-host that information would be kept secure.

While the firm should have been aware of their obligations under the Data Protection Act, they continued to act negligently and failed to ensure that appropriate technical and organisational measures were in place to keep personal information secure.

This is worse than outrageous, as ACS:LAW actually used the fact that people had not secured their home systems and used the fact against them. They did not care if an elderly person had not secured their router or modem or their computer, it was the persons fault and they were held to account for being negligent by ACS:LAW.

Andrew Crossley must be laughing at this and the rest of us now. A measly £1000 penalty for a man who bragged of making over £1,500,000 in a year, and who lavished expensive cars on himself and his girlfriend, this is a joke. A man who lives in a 7 bedroom house worth nearly a million pound yet he pleads poverty? The ICO has let us all down. They are unfit for purpose.

Indeed £1000 is less than the price of just two of his letters that he sent out to the general public.

The interview with Christopher Graham can be seen here, please don’t hold a hot drink whilst watching the sheer disconnect between the interview and the reality might just choke you.

Thnka for the excellent coverage of ACS Law, I have been waiting a while on this judgement and actually feel let down by the ICO for passing such a low fine. This was an opportunity for the ICO to show that it was not a toothless dog, and also, that it would not tolerate breaches to an individuals right to privacy.

All this decision has shown, is that (a) the ICO has no power and no desire to use any ‘supposed’ power it has been given and (b) it is okay for businesses and sole traders to carry on completely ignoring the DPA.

The fact that this person ending up making most of his money from the poorest in society is disgraceful, and the way they have been treated by ACS Law is a complete sham. The ICO should have given a substantial fine regardless of Crossleys own financial situation, just the same as Crossley ignored the financial situation of the people he was targeting.

The ICO should have been fined a large amount, but let him pay it in installments, that at least would have been some justice. The ICO has definitely failed on this one, and I am sure this news will leave the victims of ACS Law feeling very bitter.

Thanks again for the excellent coverage, and I’ll now visit the 2 links you posted, cheers ;)

Thanks for your excellent coverage as usual. Is there nothing to be done to persuade the ICO to look again? Or any benefit in complaining so that the guy who made this decision loses his job on the grounds of being incompetent? Do the views of those who’ve had their personal details spewed out of ACS’s database count for nothing?

The frustration here is that the people who should have known better i.e. Sky and BT released information to a tin pot company without doing any due diligence. Companies like this only thrive through the stupidity of organisations like Sky and BT. A 5.99 a month hosting service – come on. Anyway thanks for the update. I will writing to the MP and ICO.